By Ron Newman

Picture this: A CISO is speaking before their company's board of directors and one board member asks a series of difficult questions. "What did we get for the $15 million we spent on cybersecurity last year? How can we measure our return on investment? How do we know our security defenses are actually providing us the security we expect?"

For many years, it has been difficult for CISOs to supply such metrics. Many can tell board members how many attacks their security teams and technologies mitigated each year, but it is much harder to give the context behind that number: exactly how effective the security measures were, and what was done to bring them to that level of effectiveness.

Enter breach and attack simulation

In recent years, forward-looking companies have adopted a more aggressive method of continuously testing security controls: Breach and Attack Simulation (BAS). These security controls validation platforms run automated, continuous simulations of a variety of cyberattacks, including insider threats and lateral movement by attackers, giving companies constant feedback on the effectiveness of their security measures, benchmarked against the MITRE ATT&CK framework.

The controls validation platforms use machine learning and other automated tools to continuously probe a company's IT environment for weaknesses. As a result, CISOs are continuously armed with the current information they need to support the business case for cybersecurity resources when addressing the rest of the C-suite and the board of directors. In some cases, that may mean asking for a cybersecurity budget increase to address deficiencies the security controls validation platform has identified. In other cases, it may mean validating the existing cybersecurity budget as a good return on investment.

BAS is viewed as a useful tool by leading technology companies, such as Splunk.
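The continuous, ATT&CK-benchmarked feedback described above is, in practice, a scoring exercise over simulation outcomes. The following Python is an added example, not code from the article, from Splunk or from any BAS vendor. It assumes a constructed subset of the ATT&CK technique-to-tactic mapping, constructed results for two consecutive simulation runs, and a hypothetical three-way outcome vocabulary (prevented, detected, missed). From those it computes per-tactic coverage, the headline score a CISO might report, the techniques no control saw (a candidate focus list for a red team, as the later section suggests), and regressions between runs, which a single headline number can hide.

```python
"""Turn breach-and-attack-simulation (BAS) outcomes into board-level metrics.
Added example; not code from the article or any BAS platform. The technique
mapping, outcome vocabulary and run results below are all constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of the ATT&CK technique -> tactic mapping (assumption: a
# real platform loads the full matrix from the ATT&CK STIX data).
TACTIC_OF = {
    "T1078": "initial-access",        # Valid Accounts (insider-style access)
    "T1059.001": "execution",         # PowerShell
    "T1003.001": "credential-access", # LSASS Memory
    "T1021.001": "lateral-movement",  # Remote Desktop Protocol
    "T1021.002": "lateral-movement",  # SMB/Windows Admin Shares
    "T1048": "exfiltration",          # Exfiltration Over Alternative Protocol
}

# Hypothetical outcome rank: higher is better. A drop between runs is a regression.
RANK = {"missed": 0, "detected": 1, "prevented": 2}


@dataclass(frozen=True)
class SimResult:
    technique: str  # ATT&CK technique ID
    outcome: str    # "prevented", "detected" or "missed"
    control: str    # control that responded ("" when nothing did)


def _check(results):
    """Reject outcomes or techniques the report cannot place."""
    for r in results:
        if r.outcome not in RANK:
            raise ValueError(f"unknown outcome {r.outcome!r} for {r.technique}")
        if r.technique not in TACTIC_OF:
            raise KeyError(f"technique {r.technique} has no tactic mapping")


def coverage_by_tactic(results):
    """Per-tactic counts plus a score: share of simulated techniques that were
    prevented or detected, as a percentage rounded to one decimal."""
    _check(results)
    counts = defaultdict(lambda: {"prevented": 0, "detected": 0, "missed": 0})
    for r in results:
        counts[TACTIC_OF[r.technique]][r.outcome] += 1
    report = {}
    for tactic, c in counts.items():
        total = sum(c.values())
        covered = c["prevented"] + c["detected"]
        report[tactic] = dict(c, score=round(100.0 * covered / total, 1))
    return report


def overall_score(results):
    """Headline number for the board: percentage of simulations prevented or detected."""
    _check(results)
    if not results:
        return 0.0
    covered = sum(1 for r in results if r.outcome != "missed")
    return round(100.0 * covered / len(results), 1)


def regressions(previous, current):
    """Techniques whose outcome got worse since the last run, e.g. a detection
    rule that was silently disabled. Returns sorted (technique, old, new) tuples."""
    _check(previous)
    _check(current)
    before = {r.technique: r.outcome for r in previous}
    worse = []
    for r in current:
        old = before.get(r.technique)  # techniques new to this run cannot regress
        if old is not None and RANK[r.outcome] < RANK[old]:
            worse.append((r.technique, old, r.outcome))
    return sorted(worse)


def missed_techniques(results):
    """Techniques no control stopped or saw: where a red team should look next."""
    _check(results)
    return sorted(r.technique for r in results if r.outcome == "missed")


# Constructed results from two consecutive simulation runs.
PREVIOUS_RUN = [
    SimResult("T1059.001", "prevented", "edr"),
    SimResult("T1003.001", "detected", "edr"),
    SimResult("T1021.002", "detected", "ndr"),
    SimResult("T1021.001", "missed", ""),
    SimResult("T1048", "prevented", "dlp"),
    SimResult("T1078", "missed", ""),
]
CURRENT_RUN = [
    SimResult("T1059.001", "prevented", "edr"),
    SimResult("T1003.001", "missed", ""),        # EDR rule no longer fires
    SimResult("T1021.002", "detected", "ndr"),
    SimResult("T1021.001", "detected", "siem"),  # new SIEM rule now catches RDP
    SimResult("T1048", "detected", "dlp"),       # DLP now alerts but no longer blocks
    SimResult("T1078", "missed", ""),
]

if __name__ == "__main__":
    print("overall:", overall_score(PREVIOUS_RUN), "->", overall_score(CURRENT_RUN))
    for tactic, c in sorted(coverage_by_tactic(CURRENT_RUN).items()):
        print(f"{tactic:18} {c['score']:5.1f}%  {c}")
    print("regressions:", regressions(PREVIOUS_RUN, CURRENT_RUN))
    print("red team focus:", missed_techniques(CURRENT_RUN))
```

In the constructed data both runs score 66.7% overall, yet the second run contains two regressions (a credential-access detection that stopped firing and an exfiltration control that went from blocking to merely alerting). Reporting the per-technique delta alongside the percentage is what turns a continuous simulation into evidence the board can act on.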
Splunk's VP of Product Management, Security, Jane Wong, recently stated: "In lockstep with our partner community, Splunk integrates with attack simulation tools and leverages best-in-class capabilities for important customer outcomes. With Breach and Attack Simulation, the Splunk ecosystem gets actionable metadata to enable customers to not only validate the efficacy of their controls, but to ensure automated response is in place for any attacks that are simulated."

Don't replace, but add on

It's worth noting here that Breach and Attack Simulation isn't intended to replace other cybersecurity measures and controls. It's another important part of a holistic cybersecurity operations model and, used in conjunction with real-time threat detection and response (containment and isolation), can help companies move toward a stronger security posture.

Some companies may be tempted to use controls validation platforms to replace periodic penetration testing or red team attacks, the human-led evaluations of a company's cybersecurity posture. Though there is some overlap between the two approaches, there is value in using both. For example, a penetration test is typically run only every few months, whereas a controls validation platform operates continuously.

Penetration testing or red team attacks bring a human element into attack simulations, and the use of a security controls validation platform can help focus a red team attack on areas that a company believes may need additional scrutiny. In return, red teams may be able to point out methodologies that can be used to expand the controls validation platform's coverage.

Is your organization ready for the next big threat?

Find out how cyber-resilient your business is via this cybersecurity maturity assessment.